AI in access reviews: what works and what doesn't

AI assistance can cut review time by up to 40% — as long as you know what to use it for. Not as the decision-maker, but as a pre-filter and an explainer.

AI can generate a recommendation for every line in an access review — keep, revoke, or change — complete with reasoning. That sounds like magic. In practice, it's genuinely useful for routine cases, but not for making decisions.

Where AI really helps

• Pre-filtering the boring work. 80% of rows are "apparently unused": last verified 6 months ago, no login activity, looks like standard sales-role drift. AI can flag in 30 seconds: "these 24 rows are high-confidence keep, these 8 are high-confidence revoke, these 12 deserve a closer look."
• Generating explanations. "Why is AI suggesting revoke?" → "Last sign-in 127 days ago, job title does not indicate a need for this system, colleagues in the same role do not have this access." That reasoning becomes your audit evidence.
• Pattern detection. "Everyone in Sales has X, except these 2 people" → possibly a gap, possibly intentional.

Where AI should not be making the call

• Privileged access. Global Admin decisions must always involve a human. AI provides context; a person decides.
• External parties. Contractors, partners, customer logins — context that AI doesn't always have.
• Recently departed employees. Offboarding actions must be explicit, not delegated to AI.

Privacy: what are you actually sending to an LLM?

Send as little as possible to the AI: job title, department, last verified date, number of cells in the matrix. No names, no email addresses if you can avoid it. Our AccessGuard includes a fake-mode for when you don't have an AI key — the workflow runs without any data being sent to OpenAI.

AI is an accelerator in your review process, not a substitute for judgement. Approach it with a clear head and you'll get a lot of value out of it.